Multivariate Cryptography Part 2: UOV and Rainbow Albrecht Petzoldt - - PowerPoint PPT Presentation



SLIDE 1

Multivariate Cryptography Part 2: UOV and Rainbow

Albrecht Petzoldt, PQCrypto Summer School 2017, Eindhoven, Netherlands, Tuesday, 20.06.2017

A. Petzoldt, Multivariate Cryptography, PQCrypto Summer School, 1 / 34

SLIDE 2

Oil-Vinegar Polynomials [Pa97]

Let F be a (finite) field. For o, v ∈ N set n = o + v and define

$$p(x_1, \ldots, x_n) = \underbrace{\sum_{i=1}^{v} \sum_{j=i}^{v} \alpha_{ij} \cdot x_i \cdot x_j}_{v \times v \text{ terms}} + \underbrace{\sum_{i=1}^{v} \sum_{j=v+1}^{n} \beta_{ij} \cdot x_i \cdot x_j}_{v \times o \text{ terms}} + \underbrace{\sum_{i=1}^{n} \gamma_i \cdot x_i}_{\text{linear terms}} + \delta$$

x_1, . . . , x_v: Vinegar variables
x_{v+1}, . . . , x_n: Oil variables
not fully mixed: no o × o terms

Term structure of an Oil-Vinegar polynomial:

  v × v terms   v × o terms   o × o terms   v terms       o terms       δ
  quadratic     quadratic     0 (absent)    linear in v   linear in o   constant
SLIDE 3

Oil-Vinegar Polynomials (2)

Let $\tilde p(x_1, \ldots, x_n)$ be the homogeneous quadratic part of $p(x_1, \ldots, x_n)$. $\tilde p$ can be written as a quadratic form

$$\tilde p(x_1, \ldots, x_n) = (x_1, \ldots, x_n) \cdot M \cdot \begin{pmatrix} x_1 \\ \vdots \\ x_n \end{pmatrix} \quad \text{with} \quad M = \begin{pmatrix} \star & \cdots & \star & \star & \cdots & \star \\ \vdots & & \vdots & \vdots & & \vdots \\ \star & \cdots & \star & \star & \cdots & \star \\ \star & \cdots & \star & 0 & \cdots & 0 \\ \vdots & & \vdots & \vdots & & \vdots \\ \star & \cdots & \star & 0 & \cdots & 0 \end{pmatrix}$$

The first v rows and columns of M belong to the Vinegar variables, the remaining o rows and columns to the Oil variables; ⋆ marks an arbitrary entry. Since p has no o × o terms, the lower-right o × o block of M is zero.

SLIDE 4

The Oil and Vinegar Signature Scheme - Key Generation

Parameters: finite field F, integers o, v; set n = o + v.

The central map F : F^n → F^o consists of o Oil-Vinegar polynomials f^(1), . . . , f^(o), i.e.

$$f^{(k)} = \sum_{i=1}^{v} \sum_{j=1}^{v} \alpha^{(k)}_{ij} x_i x_j + \sum_{i=1}^{v} \sum_{j=v+1}^{n} \beta^{(k)}_{ij} x_i x_j + \sum_{i=1}^{n} \gamma^{(k)}_i x_i + \delta^{(k)}$$

with $\alpha^{(k)}_{ij}, \beta^{(k)}_{ij}, \gamma^{(k)}_i$ and $\delta^{(k)} \in_R F$ (1 ≤ k ≤ o).

Compose F with a randomly chosen invertible affine map T : F^n → F^n.

public key: P = F ◦ T : F^n → F^o
private key: F, T

SLIDE 5

Inversion of the central map

Each central polynomial has the form

  v × v terms   v × o terms   o × o terms   v terms       o terms       δ
  quadratic     quadratic     0 (absent)    linear in v   linear in o   constant
SLIDE 6

Inversion of the central map

Each central polynomial has the form

  v × v terms   v × o terms   o × o terms   v terms       o terms       δ
  quadratic     quadratic     0 (absent)    linear in v   linear in o   constant

Choose random values for the Vinegar variables x_1, . . . , x_v. The polynomial then has the form

  v × v terms   v × o terms   o × o terms   v terms       o terms       δ
  constant      linear in o   0 (absent)    constant      linear in o   constant

⇒ Linear equation in the o Oil variables

SLIDE 7

Inversion of the central map (2)

Altogether we get o linear equations in the o variables x_{v+1}, . . . , x_n ⇒ x_{v+1}, . . . , x_n can be recovered by Gaussian elimination. If the system has no solution, choose other values for the Vinegar variables x_1, . . . , x_v and try again.

SLIDE 8

Toy Example

F = GF(7) and o = v = 2, F = (f^(1), f^(2)) with

$$f^{(1)}(x) = 2x_1^2 + 3x_1x_2 + 6x_1x_3 + x_1x_4 + 4x_2^2 + 5x_2x_4 + 3x_1 + 2x_2 + 5x_3 + x_4 + 6,$$
$$f^{(2)}(x) = 3x_1^2 + 6x_1x_2 + 5x_1x_4 + 3x_2^2 + 5x_2x_3 + x_2x_4 + 2x_1 + 5x_2 + 4x_3 + 2x_4 + 1.$$

Goal: Find a pre-image x = (x_1, x_2, x_3, x_4) of w = (3, 4) under the central map F.

Choose random values for x_1 and x_2, e.g. (x_1, x_2) = (1, 4), and substitute them into f^(1) and f^(2):
⇒ $\tilde f^{(1)}(x_3, x_4) = 4x_3 + x_4 + 4$, $\tilde f^{(2)}(x_3, x_4) = 3x_3 + 4x_4$

Solve the linear system $\tilde f^{(1)} = w_1 = 3$, $\tilde f^{(2)} = w_2 = 4$ ⇒ (x_3, x_4) = (1, 2)

The pre-image of w is x = (1, 4, 1, 2).

SLIDE 9

Signature Generation

Given: message d

1. Use a hash function H : {0, 1}^⋆ → F^o to compute w = H(d).
2. Compute a pre-image x ∈ F^n of w under the central map F:
   ◮ Choose random values for the Vinegar variables x_1, . . . , x_v and substitute them into the central map polynomials f^(1), . . . , f^(o).
   ◮ Solve the resulting linear system for the Oil variables x_{v+1}, . . . , x_n.
   ◮ If the system has no solution, choose other values for the Vinegar variables and try again.
3. Compute the signature z ∈ F^n by z = T^{-1}(x).

SLIDE 10

Signature Verification

Given: message d, signature z ∈ F^n

1. Compute w = H(d).
2. Compute w′ = P(z).

Accept the signature ⇔ w′ = w.

SLIDE 11

The attack of Kipnis and Shamir on balanced OV [KS98]

Define
O := {x ∈ F^n : x_1 = . . . = x_v = 0} ("Oilspace")
V := {x ∈ F^n : x_{v+1} = . . . = x_n = 0} ("Vinegarspace")

Let E be an "OV-matrix", i.e.

$$E = \begin{pmatrix} \star & \star \\ \star & 0 \end{pmatrix}$$

(rows and columns split as v + o; the lower-right o × o block is zero), and let o ∈ O. Then we have E · o ∈ V, or E · O ⊂ V. Analogously, we get E^{-1} · V ⊂ O. For two OV matrices E and F we therefore get (F^{-1} · E) · O ⊂ O, i.e. O is an invariant subspace of the matrix F^{-1} · E.

SLIDE 12

OV Attack (2)

Let G_i be the matrix representing the homogeneous quadratic part of the i-th public polynomial. Then we have G_i = T^T · E_i · T, with E_i being an OV-matrix and T being the matrix representing the map T. Let o ∈ O and v = T^{-1}(o). We therefore get

$$(G_j^{-1} \cdot G_i) \cdot v = \left(T^{-1} \cdot E_j^{-1} \cdot (T^T)^{-1} \cdot T^T \cdot E_i \cdot T\right) \cdot T^{-1}(o) = T^{-1} \cdot E_j^{-1} \cdot E_i \cdot o \in T^{-1}(O),$$

i.e. T^{-1}(O) is an invariant subspace of the matrix G_j^{-1} · G_i.

SLIDE 13

OV Attack (3)

1. Choose an index j ∈ {1, . . . , o} such that G_j is invertible and compute G_j^{-1} · G_i.
2. Compute the invariant subspaces of G_j^{-1} · G_i
   ⇒ Separation of Oil and Vinegar variables
   ⇒ Find an equivalent affine transformation T
   ⇒ Find an equivalent central map F by F = P ◦ T^{-1}

SLIDE 14

OV Attack - Summary

• The attack breaks the balanced OV scheme in polynomial time.
• The attack also works for v < o.
• For v > o the complexity of the attack is about q^{v−o} · o^4.
⇒ Choose v ≈ 2 · o (unbalanced Oil and Vinegar (UOV)) [KP99]

SLIDE 15

Other Attacks

Collision Attack: To prevent collision attacks against the hash function, one needs o ≥ seclev / log_2(q).

Direct Attack: Try to solve the public equation P(z) = w as an instance of the MQ-Problem
⇒ public systems of UOV behave much like random systems
However: The public systems of UOV are highly underdetermined (n = 3 · m)
Result [Thomae]: A multivariate system of m equations in n = ω · m variables can be solved in the same time as a determined system of m − ⌊ω⌋ + 1 equations.
⇒ m has to be increased by 2.

SLIDE 16

Other Attacks (2)

UOV-Reconciliation attack: Try to find a linear transformation T which transforms the public matrices G_i into the form of UOV matrices:

$$(T^T)^{-1} \cdot G_i \cdot T^{-1} = \begin{pmatrix} \star & \star \\ \star & 0 \end{pmatrix}$$

⇒ Each zero term yields a quadratic equation in the elements of T.
⇒ T can be recovered by solving several systems of multivariate quadratic equations.

SLIDE 17

Parameters

UOV(F, o, v): field, number of Oil variables, number of Vinegar variables.

security      scheme                  public key   private key   hash size   signature
level (bit)                           size (kB)    size (kB)     (bit)       (bit)
80            UOV(GF(16),40,80)       144.2        135.2         160         480
              UOV(GF(256),27,54)      89.8         86.2          216         648
100           UOV(GF(16),50,100)      280.2        260.1         200         600
              UOV(GF(256),34,68)      177.8        168.3         272         816
128           UOV(GF(16),64,128)      585.1        538.1         256         768
              UOV(GF(256),45,90)      409.4        381.8         360         1,080
192           UOV(GF(16),96,192)      1,964.3      1,786.7       384         1,152
              UOV(GF(256),69,138)     1,464.6      1,344.0       552         1,656
256           UOV(GF(16),128,256)     4,644.1      4,200.3       512         1,536
              UOV(GF(256),93,186)     3,572.9      3,252.2       744         2,232

SLIDE 18

UOV - Summary

• unbroken since 1999 ⇒ high confidence in security
• not the fastest multivariate scheme
• very large key sizes
• (comparably) large signatures
⇒ Can we do better?

SLIDE 19

The Rainbow Signature Scheme

• proposed in 2005 by J. Ding and D. Schmidt [DS05]
• multi-layer version of UOV
• reduces the number of variables in the public key
  ⇒ better performance
  ⇒ smaller key sizes
  ⇒ smaller signatures

SLIDE 20

Key Generation

Finite field F, integers 0 < v_1 < · · · < v_u < v_{u+1} = n. Set V_i = {1, . . . , v_i}, O_i = {v_i + 1, . . . , v_{i+1}}, o_i = v_{i+1} − v_i.

The central map F consists of m = n − v_1 polynomials f^(v_1+1), . . . , f^(n) of the form

$$f^{(k)} = \sum_{i,j \in V_\ell} \alpha^{(k)}_{ij} x_i x_j + \sum_{i \in V_\ell,\, j \in O_\ell} \beta^{(k)}_{ij} x_i x_j + \sum_{i \in V_\ell \cup O_\ell} \gamma^{(k)}_i x_i + \delta^{(k)},$$

with coefficients $\alpha^{(k)}_{ij}, \beta^{(k)}_{ij}, \gamma^{(k)}_i$ and $\delta^{(k)}$ randomly chosen from F and ℓ being the only integer such that k ∈ O_ℓ.

Choose randomly two affine (or linear) transformations S : F^m → F^m and T : F^n → F^n.

public key: P = S ◦ F ◦ T : F^n → F^m
private key: S, F, T

SLIDE 21

Rainbow schemes with two layers

[Figure: block structure of the matrix of F^(k) for the two layers, with row and column blocks delimited at v_1, v_2 and n. For v_1 + 1 ≤ k ≤ v_2 (first layer) only the V_1 × V_1 and V_1 × O_1 blocks are nonzero; for v_2 + 1 ≤ k ≤ n (second layer) the blocks within V_1 ∪ O_1 and between V_1 ∪ O_1 and O_2 are nonzero, while the O_2 × O_2 block is zero.]

SLIDE 22

Inversion of the central map

Idea: Invert the single UOV layers recursively. Use the variables of the i-th layer as the Vinegar variables of the (i + 1)-th layer.

Input: Rainbow central map F = (f^(v_1+1), . . . , f^(n)), vector y ∈ F^m.
Output: vector x ∈ F^n with F(x) = y.

1: Choose random values for the variables x_1, . . . , x_{v_1} and substitute these values into the polynomials f^(i) (i = v_1 + 1, . . . , n).
2: for ℓ = 1 to u do
3:   Perform Gaussian elimination on the polynomials f^(i) (i ∈ O_ℓ) to get the values of the variables x_i (i ∈ O_ℓ).
4:   Substitute the values of x_i (i ∈ O_ℓ) into the polynomials f^(i) (i = v_{ℓ+1} + 1, . . . , n).
5: end for

SLIDE 23

Rainbow Schemes with two layers

The central map F consists of quadratic polynomials of two types (⋆: arbitrary coefficients, 0: no such terms):

            quadratic terms                                        linear terms
            V1×V1   V1×O1   O1×O1   V1×O2   O1×O2   O2×O2          V1      O1      O2
1. Layer    ⋆       ⋆       0       0       0       0              ⋆       ⋆       0
2. Layer    ⋆       ⋆       ⋆       ⋆       ⋆       0              ⋆       ⋆       ⋆
SLIDE 24

Rainbow Schemes with two layers

Step 1: Choose random values for the Vinegar variables x_1, . . . , x_{v_1} and substitute them into the central polynomials. The term structure becomes:

            quadratic terms                                              linear terms
            V1×V1   V1×O1    O1×O1   V1×O2    O1×O2   O2×O2              V1      O1       O2
1. Layer    const   lin O1   0       0        0       0                  const   lin O1   0
2. Layer    const   lin O1   quad    lin O2   quad    0                  const   lin O1   lin O2
SLIDE 25

Rainbow Schemes with two layers

Step 2: Solve the o_1 linear equations given by the polynomials of the first layer for x_{v_1+1}, . . . , x_{v_2} and substitute into the polynomials of the second layer. The term structure becomes:

            quadratic terms                                              linear terms
            V1×V1   V1×O1    O1×O1   V1×O2    O1×O2    O2×O2             V1      O1       O2
1. Layer    const   const    0       0        0        0                 const   const    0
2. Layer    const   const    const   lin O2   lin O2   0                 const   const    lin O2
SLIDE 26

Rainbow Schemes with two layers

Step 3: Solve the o_2 linear equations given by the o_2 polynomials of the second layer for x_{v_2+1}, . . . , x_n.

SLIDE 27

Toy Example

F = GF(7), (v_1, o_1, o_2) = (2, 2, 2), central map F = (f^(3), . . . , f^(6)) with

$$f^{(3)} = x_1^2 + 3x_1x_2 + 5x_1x_3 + 6x_1x_4 + 2x_2^2 + 6x_2x_3 + 4x_2x_4 + 2x_2 + 6x_3 + 2x_4 + 5,$$
$$f^{(4)} = 2x_1^2 + x_1x_2 + x_1x_3 + 3x_1x_4 + 4x_1 + x_2^2 + x_2x_3 + 4x_2x_4 + 6x_2 + x_4,$$
$$f^{(5)} = 2x_1^2 + 3x_1x_2 + 3x_1x_3 + 3x_1x_4 + x_1x_5 + 3x_1x_6 + 6x_1 + 4x_2^2 + x_2x_3 + 4x_2x_4 + x_2x_5 + 3x_2x_6 + 3x_2 + 3x_3x_4 + x_3x_5 + 2x_3x_6 + 2x_3 + 3x_4x_5 + x_5 + 6x_6,$$
$$f^{(6)} = 2x_1^2 + 5x_1x_2 + x_1x_3 + 5x_1x_4 + 5x_1x_6 + 6x_1 + 5x_2^2 + 3x_2x_3 + 5x_2x_5 + 4x_2x_6 + x_2 + 3x_3^2 + 5x_3x_4 + 4x_3x_5 + 2x_3x_6 + 4x_3 + x_4^2 + 6x_4x_5 + 3x_4x_6 + 4x_4 + 4x_5 + x_6 + 2.$$

Goal: Find a pre-image x ∈ F^6 of y = (6, 2, 0, 5) under the map F.

SLIDE 28

Toy Example (2)

Choose random values for the Vinegar variables x_1 and x_2, e.g. (x_1, x_2) = (0, 1), and substitute them into the polynomials f^(3), . . . , f^(6):

$$\tilde f^{(3)} = 5x_3 + 6x_4 + 2, \quad \tilde f^{(4)} = x_3 + 5x_4,$$
$$\tilde f^{(5)} = 3x_3x_4 + x_3x_5 + 2x_3x_6 + 3x_3 + 3x_4x_5 + 4x_4 + 2x_5 + 2x_6,$$
$$\tilde f^{(6)} = 3x_3^2 + 5x_3x_4 + 4x_3x_5 + 2x_3x_6 + x_4^2 + 6x_4x_5 + 3x_4x_6 + 4x_4 + 2x_5 + 5x_6 + 1.$$

Set $\tilde f^{(3)} = y_1 = 6$ and $\tilde f^{(4)} = y_2 = 2$ and solve for x_3, x_4 ⇒ (x_3, x_4) = (3, 4).
Substitute into $\tilde f^{(5)}$ and $\tilde f^{(6)}$ ⇒ $\tilde{\tilde f}^{(5)} = 3x_5 + x_6 + 5$, $\tilde{\tilde f}^{(6)} = 3x_5 + 2x_6 + 1$.
Set $\tilde{\tilde f}^{(5)} = y_3 = 0$ and $\tilde{\tilde f}^{(6)} = y_4 = 5$ and solve for x_5 and x_6 ⇒ (x_5, x_6) = (0, 2).
A pre-image of y = (6, 2, 0, 5) is given by x = (0, 1, 3, 4, 0, 2).
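The central-map inversion of the two toy examples (slide 8 for UOV, slide 28 for Rainbow) carried out in Python, as an added example that is not part of the original slides: it implements the layered procedure of slide 22 over GF(7), with UOV as the one-layer case, on the slides' own polynomials. The helper names (`parse`, `substitute`, `solve_mod_p`, `invert_central_map`, `central_map`) and the string encoding of the polynomials are this example's own.

```python
import re
from math import prod
P = 7  # the slides' toy examples live over GF(7); everything below is computed mod P

def parse(s):  # slide notation '2x1^2 + 3x1x2 + x4 + 6' -> {(1, 1): 2, (1, 2): 3, (4,): 1, (): 6}
    poly = {}
    for term in s.replace(" ", "").split("+"):
        coef, rest = re.fullmatch(r"(\d*)(.*)", term).groups()
        mono = tuple(sorted(int(v) for v, sq in re.findall(r"x(\d+)(\^2)?", rest) for _ in range(2 if sq else 1)))
        poly[mono] = (poly.get(mono, 0) + int(coef or 1)) % P
    return poly
def substitute(poly, assign):  # plug known values (var index -> value) into poly, keep the rest symbolic
    out = {}
    for mono, c in poly.items():
        key = tuple(v for v in mono if v not in assign)
        out[key] = (out.get(key, 0) + c * prod(assign.get(v, 1) for v in mono)) % P
    return {k: c for k, c in out.items() if c}
def solve_mod_p(rows, unknowns):  # Gauss-Jordan on augmented rows [a_1 .. a_n | b] over GF(P)
    n, m = len(unknowns), [r[:] for r in rows]
    for col in range(n):
        piv = next((r for r in range(col, len(m)) if m[r][col]), None)
        if piv is None:
            return None  # singular system: the signer retries with fresh Vinegar values
        m[col], m[piv] = m[piv], m[col]
        m[col] = [a * pow(m[col][col], P - 2, P) % P for a in m[col]]  # scale pivot row to 1
        for r in range(len(m)):
            if r != col and m[r][col]:
                m[r] = [(a - m[r][col] * b) % P for a, b in zip(m[r], m[col])]
    return {unknowns[i]: m[i][n] for i in range(n)}
def invert_central_map(central, layers, y, vinegar):
    # central: layer polynomials in order; layers: Oil index sets O_1..O_u; vinegar: chosen x_1..x_{v1}
    assign, k = dict(vinegar), 0
    for oil in layers:
        fs = [substitute(f, assign) for f in central[k:k + len(oil)]]  # now affine in this layer's Oil vars
        rows = [[f.get((v,), 0) for v in oil] + [(y[k + i] - f.get((), 0)) % P] for i, f in enumerate(fs)]
        sol = solve_mod_p(rows, oil)
        if sol is None:
            return None  # caller picks new Vinegar values and tries again
        assign.update(sol)  # this layer's Oil values act as Vinegar values for the next layer
        k += len(oil)
    return tuple(assign[i] for i in range(1, len(assign) + 1))
def central_map(central, x):  # F(x), used to check a recovered pre-image
    return tuple(substitute(f, dict(enumerate(x, 1))).get((), 0) for f in central)

UOV_TOY = [parse("2x1^2 + 3x1x2 + 6x1x3 + x1x4 + 4x2^2 + 5x2x4 + 3x1 + 2x2 + 5x3 + x4 + 6"),
           parse("3x1^2 + 6x1x2 + 5x1x4 + 3x2^2 + 5x2x3 + x2x4 + 2x1 + 5x2 + 4x3 + 2x4 + 1")]
RAINBOW_TOY = [parse("x1^2 + 3x1x2 + 5x1x3 + 6x1x4 + 2x2^2 + 6x2x3 + 4x2x4 + 2x2 + 6x3 + 2x4 + 5"),
               parse("2x1^2 + x1x2 + x1x3 + 3x1x4 + 4x1 + x2^2 + x2x3 + 4x2x4 + 6x2 + x4"),
               parse("2x1^2 + 3x1x2 + 3x1x3 + 3x1x4 + x1x5 + 3x1x6 + 6x1 + 4x2^2 + x2x3 + 4x2x4 + x2x5 + 3x2x6 + 3x2 + 3x3x4 + x3x5 + 2x3x6 + 2x3 + 3x4x5 + x5 + 6x6"),
               parse("2x1^2 + 5x1x2 + x1x3 + 5x1x4 + 5x1x6 + 6x1 + 5x2^2 + 3x2x3 + 5x2x5 + 4x2x6 + x2 + 3x3^2 + 5x3x4 + 4x3x5 + 2x3x6 + 4x3 + x4^2 + 6x4x5 + 3x4x6 + 4x4 + 4x5 + x6 + 2")]
```

`invert_central_map(RAINBOW_TOY, [[3, 4], [5, 6]], (6, 2, 0, 5), {1: 0, 2: 1})` returns (0, 1, 3, 4, 0, 2), the pre-image found on slide 28, and `invert_central_map(UOV_TOY, [[3, 4]], (3, 4), {1: 1, 2: 4})` returns (1, 4, 1, 2) as on slide 8.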

SLIDE 29

Signature Generation

Given: message d

1. Use a hash function H : {0, 1}^⋆ → F^m to compute w = H(d) ∈ F^m.
2. Compute x = S^{-1}(w) ∈ F^m.
3. Compute a pre-image y ∈ F^n of x under the central map F.
4. Compute the signature z ∈ F^n by z = T^{-1}(y).

SLIDE 30

Signature Verification

Given: message d, signature z ∈ Fn

1. Compute w = H(d).
2. Compute w′ = P(z).

Accept the signature z ⇔ w′ = w.

SLIDE 31

Security

• Rainbow is an extension of UOV ⇒ All attacks against UOV can be used against Rainbow, too.
• The additional structure of the central map allows several new attacks:
  – MinRank Attack: Look for linear combinations of the matrices G_i of low rank.
  – HighRank Attack: Look for the linear representation of the variables appearing the lowest number of times in the central polynomials.
  – Rainbow-Band-Separation Attack: Variant of the UOV-Reconciliation Attack using the additional Rainbow structure [DY08].
⇒ Parameter selection for Rainbow is a challenging task.

SLIDE 32

Parameters

security      parameters           public key   private key   hash size   signature
level (bit)   F, v1, o1, o2        size (kB)    size (kB)     (bit)       (bit)
80            GF(16),17,20,20      33.4         22.3          160         228
              GF(256),19,12,13     25.3         19.3          200         352
100           GF(16),22,25,25      65.9         43.2          200         288
              GF(256),27,16,16     57.2         44.3          256         472
128           GF(16),28,32,32      136.6        87.6          256         368
              GF(256),36,21,22     136.0        102.5         344         632
192           GF(16),45,48,48      475.9        301.8         384         564
              GF(256),58,33,34     523.5        385.5         536         1,000
256           GF(16),66,64,64      1,194.4      763.9         512         776
              GF(256),86,45,46     1,415.7      1,046.3       728         1,416

SLIDE 33

Rainbow - Summary

• no weaknesses found since 2005
• very efficient, much faster than RSA
• suitable for low-cost devices
• shorter signatures and smaller key sizes than UOV
⇒ Good candidate for the upcoming standardization process of post-quantum signature schemes

SLIDE 34

References

[Pa97] J. Patarin: The oil and vinegar signature scheme. Presented at the Dagstuhl Workshop on Cryptography (September 97).
[KS98] A. Kipnis, A. Shamir: Cryptanalysis of the Oil and Vinegar Signature Scheme. CRYPTO 1998, LNCS vol. 1462, pp. 257–266. Springer, 1988.
[KP99] A. Kipnis, J. Patarin, L. Goubin: Unbalanced Oil and Vinegar Schemes. EUROCRYPT 1999, LNCS vol. 1592, pp. 206–222. Springer, 1999.
[DS05] J. Ding, D. Schmidt: Rainbow, a New Multivariate Polynomial Signature Scheme. ACNS 2005, LNCS vol. 3531, pp. 164–175. Springer, 2005.
[DY08] J. Ding, B.-Y. Yang, C.-H. O. Chen, M.-S. Chen, C.-M. Cheng: New Differential-Algebraic Attacks and Reparametrization of Rainbow. ACNS 2008, LNCS vol. 5037, pp. 242–257. Springer, 2008.
